otwcode · brianjaustin · Dec 23, 2024 · Dec 23, 2024 · Dec 23, 2024 · Dec 23, 2024
diff --git a/app/controllers/languages_controller.rb b/app/controllers/languages_controller.rb
@@ -30,20 +30,8 @@ def edit
   def update
     @language = Language.find_by(short: params[:id])
     authorize @language
-
-    if !policy(@language).can_edit_non_abuse_fields? && ((language_params[:name].present? && language_params[:name] != @language.name) || (language_params[:short].present? && @language.short != language_params[:short]) || (language_params[:sortable_name].present? && @language.sortable_name != language_params[:sortable_name]) || (language_params[:support_available].present? && @language.support_available != (language_params[:support_available] == "1")))
-      flash[:error] = t("languages.update.non_abuse_field_error")
-      redirect_to languages_path
-      return
-    end
-
-    if !policy(@language).can_edit_abuse_fields? && language_params[:abuse_support_available].present? && (@language.abuse_support_available != (language_params[:abuse_support_available] == "1"))
-      flash[:error] = t("languages.update.abuse_field_error")
-      redirect_to languages_path
-      return
-    end
 
-    if @language.update(language_params)
+    if @language.update(permitted_attributes(@language))
       flash[:notice] = t("languages.successfully_updated")
       redirect_to languages_path
     else

diff --git a/app/policies/language_policy.rb b/app/policies/language_policy.rb
@@ -10,6 +10,18 @@ def edit?
     user_has_roles?(LANGUAGE_EDIT_ACCESS)
   end
 
+  # Define which roles can update which attributes
+  ALLOWED_ATTRIBUTES_BY_ROLES = {
+    "superadmin" => %i[name short support_available abuse_support_available sortable_name],
+    "translation" => %i[name short support_available abuse_support_available sortable_name],
+    "support" => %i[name short support_available sortable_name],
+    "policy_and_abuse" => %i[abuse_support_available]
+  }.freeze
+
+  def permitted_attributes
+    ALLOWED_ATTRIBUTES_BY_ROLES.values_at(*user.roles).compact.flatten
+  end
+
   def can_edit_abuse_fields?
     user_has_roles?(%w[superadmin translation policy_and_abuse])
   end

diff --git a/config/locales/controllers/en.yml b/config/locales/controllers/en.yml
@@ -107,9 +107,6 @@ en:
   languages:
     successfully_added: Language was successfully added.
     successfully_updated: Language was successfully updated.
-    update:
-      abuse_field_error: Sorry, only an authorized admin can update the 'Abuse support available' field.
-      non_abuse_field_error: Sorry, only an authorized admin can update fields other than 'Abuse support available'.
   muted:
     users:
       create:

diff --git a/spec/controllers/languages_controller_spec.rb b/spec/controllers/languages_controller_spec.rb
@@ -174,7 +174,6 @@
           name: "Suomi",
           short: "fi",
           support_available: "1",
-          abuse_support_available: "1",
           sortable_name: ""
         }
       }
@@ -184,11 +183,7 @@
       {
         id: finnish.short,
         language: {
-          name: "Suomi",
-          short: "fi",
-          support_available: "0",
-          abuse_support_available: "0",
-          sortable_name: ""
+          abuse_support_available: "0"
         }
       }
     end
@@ -243,10 +238,13 @@
       let(:admin) { create(:admin, roles: ["policy_and_abuse"]) }
       before do
         fake_login_admin(admin)
-        put :update, params: language_params
       end
-      it "redirects with error" do
-        it_redirects_to_with_error(languages_path, "Sorry, only an authorized admin can update fields other than 'Abuse support available'.")
+      it "throws error and doesn't save changes to non-abuse field" do
+        expect do 
+          put :update, params: language_params
+        end.to raise_exception(ActionController::UnpermittedParameters)
+        finnish.reload
+        expect(finnish.support_available).to eq(false)
       end
     end 
 
@@ -275,10 +273,13 @@
       let(:admin) { create(:admin, roles: ["support"]) }
       before do
         fake_login_admin(admin)
-        put :update, params: language_params
       end
-      it "redirects with error" do
-        it_redirects_to_with_error(languages_path, "Sorry, only an authorized admin can update the 'Abuse support available' field.")
+      it "throws error and doesn't save changes to abuse_support_available field" do
+        expect do 
+          put :update, params: language_params
+        end.to raise_exception(ActionController::UnpermittedParameters)
+        finnish.reload
+        expect(finnish.abuse_support_available).to eq(true)
       end
     end